Dynamic, resilient virtual sensing system and shadow controller for cyber-attack neutralization

ABSTRACT

An industrial asset may have monitoring nodes (e.g., sensor or actuator nodes) that generate current monitoring node values. An abnormality detection and localization computer may receive the series of current monitoring node values and output an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault. An actor-critic platform may tune a dynamic, resilient state estimator for a sensor node and output tuning parameters for a controller that improve operation of the industrial asset during the current attack or fault. The actor-critic platform may include, for example, a dynamic, resilient state estimator, an actor model, and a critic model. According to some embodiments, a value function of the critic model is updated for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.

This invention was made with Government support under contract number DE-OE0000833 awarded by the Department of Energy. The Government has certain rights in this invention.

BACKGROUND

Industrial control systems that operate physical systems (e.g., associated with power turbines, jet engines, locomotives, autonomous vehicles, etc.) are increasingly connected to the Internet. As a result, these control systems have been increasingly vulnerable to threats, such as cyber-attacks (e.g., associated with a computer virus, malicious software, etc.), that could disrupt electric power generation and distribution, damage engines, inflict vehicle malfunctions, etc. Current methods primarily consider attack detection in Information Technology (“IT,” such as, computers that store, retrieve, transmit, manipulate data) and Operation Technology (“OT,” such as direct monitoring devices and communication bus interfaces). Cyber-attacks can still penetrate through these protection layers and reach the physical “domain” as seen in 2010 with the Stuxnet attack. Such attacks can diminish the performance of a control system and may cause total shut down or catastrophic damage to a plant. Currently, no methods are available to automatically detect, during a cyber-incident, attacks at the domain layer where sensors, controllers, and actuators are located. In some cases, multiple attacks may occur simultaneously (e.g., more than one actuator, sensor, or parameter inside control system devices might be altered maliciously by an unauthorized party at the same time). Note that some subtle consequences of cyber-attacks, such as stealthy attacks occurring at the domain layer, might not be readily detectable. This might be the case, for example, when only one monitoring node is used in a detection algorithm. Note that the phrase “monitoring node” might refer to, for example, a sensor node, an actuator node, or any other type of node. Existing approaches to protect an industrial control system, such as failure and diagnostics technologies, may not adequately address these problems—especially when multiple, simultaneous attacks occur since such multiple faults/failure diagnostic technologies are not designed for detecting stealthy attacks in an automatic manner.

It may be important to maintain an industrial asset's functionality during an attack. For example, an operator may want a power generation plant to continue to provide electricity even when one or more sensors, actuators, etc. are the subject of a cyber-attack. It may similarly be desired to operate the asset when one or more monitoring nodes fail. Moreover, it may be advantageous to provide protection for an industrial asset without requiring redundant components (e.g., industrial control systems) and/or any major changes and/or re-design of controllers. In some cases, a virtual sensing system may get a portion of sensor measurements that are healthy and uncompromised and use that information to provide healthy estimations for the measurements of the sensors that are compromised. Since the compromised and uncompromised portions of the measurements might be any subset of the system sensors, this approach may present a combinatorial problem that requires that a substantial number of estimation models be developed and stored. As a result, this technique can require a relatively long development time frame using brute force methods.

In some approaches, a virtual sensing system may get a portion of the sensor measurements that are healthy and uncompromised and uses that information to provide healthy estimations for the measurements of the sensors that are compromised. Moreover, an unsupervised learning method can be used to reconstruct the compromised sensors from the uncompromised ones. However, such a method does not use information about the attack surface and hence may be limited in prediction accuracy. Further note that attacks and/or faults may be experience at a controller node which can have different implications as compared to a sensor node. It may therefore be desirable to react to an attack and/or fault that occurs at a controller node (e.g., including an actuator node) in a relatively quick and effective way to maintain operation of an industrial asset.

SUMMARY

According to some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. An abnormality detection and localization computer may receive the series of current monitoring node values and output an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault. An actor-critic platform may tune a dynamic, resilient state estimator for a sensor node and output tuning parameters for a controller that improve operation of the industrial asset during the current attack or fault. The actor-critic platform may include, for example, a dynamic, resilient state estimator, an actor model, and a critic model. According to some embodiments, a value function of the critic model is updated for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.

Some embodiments comprise: means for receiving, by an abnormality detection and localization computer, the series of current monitoring node values; means for outputting, by the abnormality detection and localization computer, an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault; means for tuning, by an actor-critic platform coupled to the abnormality detection and localization computer and a controller, a dynamic, resilient state estimator for a sensor node; and means for outputting, by the actor-critic platform, tuning parameters for the controller that improve operation of the industrial asset during the current attack or fault, wherein the actor-critic platform includes the dynamic, resilient state estimator, an actor model, and a critic model such that a value function of the critic model is updated for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.

Some technical advantages of some embodiments disclosed herein are improved systems and methods to protect an industrial asset from cyber-attacks and faults in an automatic, quick, and accurate manner.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a method according to some embodiments.

FIG. 2 is a system architecture to implement an actor critic reinforcement learning estimator in accordance with some embodiments.

FIG. 3 is a more detailed system architecture to implement an actor critic reinforcement learning estimator according to some embodiments.

FIG. 4 is a method to implement an actor critic reinforcement learning estimator in accordance with some embodiments.

FIG. 5 is system with on-line and off-line training for an actor critic reinforcement learning estimator according to some embodiments.

FIG. 6 is a more detailed system with on-line and off-line training for an actor critic reinforcement learning estimator in accordance with some embodiments.

FIG. 7 is a method for on-line and off-line training for an actor critic reinforcement learning estimator according to some embodiments.

FIG. 8 is a high-level block diagram of a system to protect an industrial asset according to some embodiments.

FIG. 9 is an industrial asset protection method in accordance with some embodiments.

FIG. 10 is a block diagram of an industrial asset protection system according to some embodiment.

FIG. 11 illustrates a method of generating an abnormality alert in accordance with some embodiments.

FIGS. 12 and 13 illustrate features, feature vectors, and decision boundaries in accordance with some embodiments.

FIG. 14 is an abnormality detection model creation method according to some embodiments.

FIG. 15 is a correlation heat map of monitoring nodes in accordance with some embodiments.

FIG. 16 includes a portion of a virtual sensor lookup table according to some embodiments.

FIG. 17 is an example of a global threat protection system in accordance with some embodiments when multiple gas turbines are involved in a system.

FIG. 18 is a method that might be associated with an on-line operational process in accordance with some embodiments.

FIG. 19 is a method of determining whether an attack is an independent attack or a dependent attack according to some embodiments.

FIG. 20 illustrates a feature time series of an attack comparing the real-time feature of a monitoring node to the modeled feature of the monitoring node according to some embodiments.

FIG. 21 illustrates a feature time series of a stealthy attack comparing the real-time feature of a monitoring node to the modeled feature of a monitoring node in accordance with some embodiments.

FIG. 22 is an example of attack localization in a multiple-attack scenario according to some embodiments.

FIG. 23 is a causal dependency matrix of monitoring nodes in accordance with some embodiments.

FIG. 24 is an autonomous reconfigurable virtual sensing system architecture according to some embodiments.

FIG. 25 illustrates a sliding window technique for real-time measurements in accordance with some embodiments.

FIG. 26 is a method according to some embodiments.

FIG. 27 is an example of features in principal component space in accordance with some embodiments.

FIG. 28 is an example of an auto-encoder including encoder and decoder parts according to some embodiments.

FIG. 29 illustrates a system associated with an optimization problem in accordance with some embodiments.

FIG. 30 is a method in accordance with some embodiments.

FIG. 31 is a schematic showing a multiple model approach for neutralization according to some embodiments.

FIG. 32 is a multiple model method in accordance with some embodiments.

FIG. 33 is a schematic showing a single model approach for neutralization according to some embodiments.

FIG. 34 is a single model method in accordance with some embodiments.

FIG. 35 is schematic showing a two-layer method (deploying supervised and unsupervised neutralization algorithms simultaneously according to some embodiments.

FIG. 36 is a two-layer method in accordance with some embodiments.

FIG. 37 is a block diagram of an industrial asset protection platform according to some embodiments of the present invention.

FIG. 38 is a tabular portion of a virtual sensor database in accordance with some embodiments.

FIG. 39 is a virtual sensor display according to some embodiments.

FIG. 40 is an autonomous reconfigurable virtual sensing system in accordance with some embodiments.

DETAILED DESCRIPTION

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of embodiments. However, it will be understood by those of ordinary skill in the art that the embodiments may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the embodiments.

Industrial control systems that operate physical systems are increasingly connected to the Internet. Note that, as used herein, the term “industrial” might be associated with any system that is connected to an external source, such as the Internet in the case of a cyber-physical system or locally operating an air-gapped physical system. As a result, these control systems have been increasingly vulnerable to threats and, in some cases, multiple attacks may occur simultaneously. Protecting an asset may depend on detecting such attacks as well as naturally occurring faults and failures. Existing approaches to protect an industrial control system, such as failure and diagnostics technologies, may not adequately address these threats—especially when multiple, simultaneous attacks occur. It would therefore be desirable to protect an industrial asset from cyber threats in an automatic and accurate manner. In particular, an operator of an industrial asset might want to implement “accommodation” procedures such that critical functions of the asset may automatically still function even in the event of one or more cyber-attacks or monitoring node failure (e.g., by replacing unhealthy sensor node data values with virtual sensor data values based on information obtained from other, healthy nodes).

Some embodiments described herein may provide a system and method for an autonomous, reconfigurable virtual sensing and resilient control system to neutralize an effect of anomalies (e.g., cyber-attacks or faults) in a measurements or control system. In this approach, a resilient state estimator and a resilient controller may be developed which are in turn adapted for near-optimal and safe operation during faults using an Actor Critic Reinforcement (“ACRE”) learning architecture. The system may be trained using normal and attack data in simulation before it first deployment to help ensure safe nominal operation, beyond which it may continue learning in the field to achieve even higher-fidelity performance.

FIG. 1 is a method according to some embodiments. At S110, an abnormality detection and localization computer may receive a series of current monitoring node values. At S120, the abnormality detection and localization computer may output an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault. At S130, an actor-critic platform, coupled to the abnormality detection and localization computer and a controller (e.g. a controller that is based on substantially real-time optimization, an adaptive controller, and/or an adaptive model predictive controller), may tune a dynamic, resilient state estimator for a sensor node. The actor-critic platform may then output tuning parameters for the controller that improve operation of the industrial asset during the current attack or fault at S140. Note that the actor-critic platform may include the dynamic, resilient state estimator, an actor model that tunes the controller parameters as appropriate, and a critic model such that a value function of the critic model is updated for each action of the actor model at S150 and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.

In unsupervised, semi-supervised, or supervised methods of cyber-attack neutralization (e.g., as described in with respect to FIGS. 26 through 36), the focus may be on neutralizing attacks on sensor measurements by means of providing estimates of the compromised sensors from healthy sensors. However, the controller may rely on the estimates to maintain industrial asset operation that does not remain optimal or safe. Moreover, the existing methodologies may easily accommodate attacks on actuator nodes. According to some embodiments, an architecture may be provided such that the controller and estimator work concurrently during an attack (or fault) to mitigate the abnormality more effectively and thereby improve performance and encourage safe operation of the industrial asset.

FIG. 2 is a system architecture 200 to implement an actor-critic platform (e.g., an ACRE learning estimator 250) in accordance with some embodiments. The ACRE learning estimator 250 may be coupled to a plant model 210, a controller (such as an adaptive Model Predictive Controller (“MPC”)) 220, an attack detection and localization element 240, and an attack vector catalogue 260. According to some embodiments, a plant building 230 is coupled to the adaptive MPC 220 and the attack detection and localization element 240.

FIG. 3 is a more detailed system architecture 300 to implement an ACRE learning estimator 350 according to some embodiments. As before, the ACRE learning estimator 350 may be coupled to a high-fidelity plant model 310, an adaptive MPC 320, an attack detection and localization element 340, and an attack vector catalogue 360. According to some embodiments, a plant building 330 (which may be subject to an attack or fault) may be coupled to the adaptive MPC 320 and the attack detection and localization element 340. As can be seen in the FIG., the ACRE learning estimator 350 may include: an actor 352 to tune the model predictive controller 320, a resilient state estimator 354 (e.g., associated with a DQN), and a critic 356 to tune the resilient state estimator 354. In this way, a novel system architecture 300 and methodology may help make an industrial control system more resilient to cyber-attacks that affects the normal operation of a subset of monitoring nodes.

The ACRE learning block 350 may on one hand tune the resilient state estimator 354 for full state reconstruction from sensor nodes which may be spoofed as well as the parameters of the adaptive MPC 320 block for improved operation during a cyber-attack or fault. The attack detection and localization 340 block may inform the ACRE block 350 when an attack has occurred along with which nodes were affected. The ACRE 350 may then provide a full state estimate to the MPC 320 block along with tuning parameters (e.g., optimization constraints, set points, weights, etc.) so that it can still provide improved and safe operation while mitigating the effects of an attack or fault.

Note that full state feedback might be provided for the operation of the adaptive MPC 320 module. Further, embodiments might adapt the plant model 310 to various environmental conditions and/or attack scenarios, which can result in a highly complex and non-linear model. Although traditional algorithms such as an Extended Kalman Filter (“EKF”) or an Unscented Kalman Filter (“UKF”) might be used for non-linear estimation to update model parameters, these may require a-priori knowledge of the structure (such as Gaussian noise) of the observation dynamics which can be hard to achieve for an entire attack surface. Also, significant deviation from the anticipated operating may be harder to accommodate using EKF or UKF approaches. To circumvent these limitations, ACRE learning 359 based resilient state estimator 354 may reconstruct a full state using information from healthy nodes during an attack scenario and learn the observation model on-line. In this way, a larger uncertainty envelope may be tackled without sacrificing system performance, which can be especially important in attack scenarios where the system experiences significant excursions from normal operating conditions. One choice for such an implementation is a DQN (although other approaches may be used instead).

The mutual and simultaneous tuning of the actor-critic blocks 352, 356 may help the overall system 300 adapt faster in an uncertain environment (which is typically not achievable separately). A separate estimator (e.g., associated with value-based learning) and controller (e.g., associated with policy-based learning) would either require more episodic iterations for optimal exploration-exploitation (and hence slow convergence) to achieve joint optimality or result in ε-greedy control actions. In the combined actor-critic architecture, however, the value function of the critic 356 may be updated for every action of the actor 352, whereas the action of the actor 352 may be evaluated by the critic 356 at each time step to update the policy. Thus, by not waiting for entire episodes to update each other, the ACRE 350 may learn faster by exploring and learning more quickly as compared to two separate learning agents. In this scenario, the critic 356 may update the weights of the DQN based resilient state estimator 354 and the actor 352 may update the parameters (e.g., weighting matrices, type and values of constraints, key plant model parameters, etc.) of the adaptive MPC 320 for improved operation under both normal and attacked (or fault) scenarios.

FIG. 4 is a method to implement an ACRE learning estimator in accordance with some embodiments. At S410, an abnormality detection and localization computer may receive a series of current monitoring node values. At S420, the abnormality detection and localization computer may output an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault. At S430, an ACRE platform, coupled to the abnormality detection and localization computer and a MPC, may tune a dynamic, resilient state estimator DQN for a sensor node. The ACRE platform may then output tuning parameters for MPC that improve operation of the industrial asset during the current attack or fault at S440. Note that the ACRE platform may include the dynamic, resilient state estimator DQN, an actor model, and a critic model such that a value function of the critic model is updated for each action of the actor model at S450 and each action of the actor model is evaluated by the critic model to update a policy of the ACRE platform and the process may continue at S410. Note that bi-directional communication between a resilient estimator and a resilient controller for simultaneous updates may lead to faster adaptation in an uncertain environment. As a result, the system may learn and/or accommodate an expanding attack surface more effectively.

FIG. 5 is system 500 with on-line and off-line training for an ACRE learning estimator according to some embodiments. During off-line operation (e.g., before the system 500 is deployed), an ACRE platform 550 may receive information from an attack detection and localization element 540 (e.g., in accordance with an attack vector catalogue 560) and exchange data with an adaptive MPC 520. The adaptive MPC 520 may also provide information to a high-fidelity plant model 510 which, in turn, provides data to the attack detection and localization element 540. During on-line operation (e.g., to implement continuous learning while the industrial asset is operating), a trained ACRE platform 551 may receive information an attack detection and localization element 541 and exchange data with an adaptive MPC 521. An embedded model 523 of the adaptive MPC 51 may provide information to a plant building 531 which, in turn, provides data to an attack detection and localization element 541.

FIG. 6 is a more detailed system 600 with on-line and off-line training for an ACRE learning estimator in accordance with some embodiments. As before, during off-line operation, an ACRE platform 650 (comprising an actor model 652, resilient state estimator DQN 654, and critic model 656) may receive information from an attack detection and localization element 640 (e.g., in accordance with an attack vector catalogue 660) and exchange data with an adaptive MPC 620. The adaptive MPC 620 may also provide information to a high-fidelity plant model 610 which, in turn, provides data to the attack detection and localization element 640. During on-line operation, a trained ACRE platform 651 (comprising an actor model 653, resilient state estimator DQN 655, and critic model 657) may receive information an attack detection and localization element 641 and exchange data with an adaptive MPC 621. An embedded model 623 of the adaptive MPC 621 may provide information to a plant building 631 which, in turn, provides data to an attack detection and localization element 641.

Note that a key challenge to make an ACRE system deployable may be the ability to train it sufficiently so that during the initial phases of deployment it is mature enough to maintain safe operation. To this end, a high-fidelity plant model may be used, and insights of attack scenarios may be derived from domain knowledge and high-fidelity simulations to create an appropriate attack catalogue against which the ACRE and attack detection and localization modules may be trained and validated before first deployment. This might be especially important for new assets where little data is available beforehand but can also be helpful to reduce data requirement for existing units (improving flexibility).

FIG. 7 is a method for on-line and off-line training for an actor critic reinforcement learning estimator according to some embodiments. At S710, the system may train an ACRE platform using a high-fidelity plant model and domain knowledge to create an abnormality catalogue. At S720, continuous on-line learning may be performed based on sensor readings and actions of a controller. In this way, embodiments may provide a neutralization architecture to accommodate faults in both sensing nodes and actuation nodes. Moreover, lower development time may result because the system only needs to be trained in simulation for nominal performance (and continuous learning in the field to may accommodate uncertainties in the environment in a more effective manner).

Consider, for example, a Heating, Ventilating, and Air Conditioning (“HVAC”) system with three fans that are each operated by a controller node. If a cyber-attack occurs on two of the controller nodes, the system might attempt to operate the remaining normal fan at an unreasonable speed to compensate for the two attacked controller nodes. This, however, could damage or destroy that fan. To avoid such a result, a “shadow” controller in accordance with any of the embodiments described herein might increase to the speed of the normal fan as much as possible while still maintaining safe operation of the HVAC system.

Once deployed, an ACRE system may keep learning continuously based on the sensor readings and actions of the controller. Consider an example of an MPC formulated with a quadratic cost function: x_(k) ^(T)Qx_(k)+u_(k) ^(T)Ru_(k) (where x represents system states, u represents MPC actuators, and Q and R are appropriately sized weight matrices) and a chance constraint

(Ax_(k)<b)≥1−α (where A is the constraint coefficient matrix and b is the bound vector; in the case of non-linear constraints A and b can be obtained through suitable linearization, a determines constraint hardness). In order to maintain safe and near optimal operation under attack scenarios, the parameters Q, R, A, b, α may be re-tuned for changed uncertainties. The selection of optimal parameter vector θ=[Q R A b α] in a given scenario can be done using a policy-based reinforcement learning, where the MPC serves as the given policy or controller structure. At each time step, the actor may update the policy parameters: θ_(k)=θ_(k-1)+α_(k-1)Q_(w)(s_(k-1), α_(k-1))∇θ ln π_(θ)(a_(k-1)|s_(k-1)), where θ is the learning rate, Q_(w)(s, a) is the action value function parametrized by w for action a in state s and π₀(a|s) is the policy (e.g., the MPC control action) parametrized by θ. Based on the action value, the Temporal Difference (“TD”) error may be computed next as δ_(k)=r_(k)+γQ_(w)(s_(k), a_(k))−Q_(w)(s_(k-1), a_(k-1)), where r_(k) is the reward at step k and γ is a discount factor. The computed TD error then in turn may be used to update the parameters of the action value function (e.g., the weights of the DQN) as: w_(k)=w_(k-1)+α_(w)δ_(k)∇_(w)Q_(w)(s_(k-1), a_(k-1)), where α_(w) is the learning rate. The mutual and simultaneous tuning of the actor-critic blocks may help the overall system adapt faster in an uncertain environment. In current approaches, a separate estimator (e.g., associated with value-based learning) and controller (e.g., associated with policy-based learning) require sequential episodic iterations for joint optimal exploration-exploitation. According to some of the ACRE architectures described herein, however, the value function of the critic may be updated for every action of the actor, and the action of the actor model is evaluated by the critic at each time step to update the policy (accelerating convergence to a joint optimal solution in uncertain conditions).

Some embodiments described herein may provide a system and method for autonomous reconfigurable virtual sensing to neutralize the effect of anomalies (cyber-attacks or faults) in the system measurements. The system may provide correct estimates of the compromised sensor measurements using the uncompromised sensor measurements, thus replacing the compromised sensors with healthy “virtual” (e.g., soft or surrogate) sensors. The virtual sensing estimator may use unsupervised learning methods to extract important features from sensor data in healthy conditions and cast an optimization problem that is solved on-line to reconstruct the attacked sensors in the underlying feature space. The method may work with various invertible features set with determined mapping from sensor-to-feature and feature-to-sensor spaces. The optimization problem may be a constrained one, in some embodiments, where domain knowledge is utilized to determine the constraints. The system may be scalable because it requires minimal knowledge of the underlying system model and possible attack scenarios. Moreover, the identification of the dominant features of the sensor data may be done off-line, in an unsupervised way, using only normal operation data (that is, labeled data for attacks might not be required). The system may assume that a critical subset of measurements is reliable under various attack conditions, and these measurements may be enough to exercise a system predictive model for the rest of the sensors.

Some embodiments provide a system and method for autonomous, reconfigurable virtual sensing to neutralize the effect of anomalies (e.g., cyber-attacks and/or faults) in system measurements. Based on off-line training data and potential attack surfaces, neutralization model(s) may be developed for different (classes of) attack scenarios that are deployed to provide correct estimates of the compromised sensor measurements using uncompromised sensor measurements. Note that only knowledge of the attack surface is needed to train the models on normal data; actual attack data is not required (although the availability of such data may improve performance). However, knowledge of an attack surface and/or attack catalogue may be necessary to determine a training regime of the models to keep the problem tractable. Two complementary approaches are described along with a combination of approaches that might be chosen to strike an optimal prediction accuracy versus memory requirement tradeoff. In the first approach, an individual model is trained for each attack vector in the catalogue, and the appropriate model may be selected during an attack based on upstream localization model recommendations. In the alternative approach, a single model is trained, and attack information is passed by coding it differently as compared to normal operational values of the sensor. Thus, during an attack, based on the recommendation of a localization module, compromised sensor values are coded appropriately before being passed to a neutralization module (which thereby helps the model perform appropriate reconstructions).

FIG. 8 is a high-level architecture of a system 800 that might be used to protect an industrial asset such as a gas turbine. The system 800 may include a plurality of monitoring nodes 810, each monitoring node generating a series of current monitoring node values over time that represent current operation of the industrial asset (e.g., a temperature, a speed, a voltage, etc.). An abnormality detection computer 860 coupled to the monitoring nodes 810 may be adapted to determine that a particular monitoring node is currently being attacked by a cyber-threat or is experiencing a failure (e.g., a sensor might be stuck). A dynamic, resilient estimator 850 may receive an indication of the abnormal monitoring node and, as a result, estimate a series of virtual node values for the attacked monitoring node based on information received from monitoring nodes that are not currently being attacked (e.g., using a lookup table 855). In some embodiments, an estimation of series of virtual node values happens in real-time during normal operation as opposed to estimating the virtual node values after the abnormal monitoring node information is received. Soon after the abnormal monitoring node information is received, signals from abnormal monitoring nodes may be replaced by the most current virtual node values. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node with the virtual node values (e.g., as illustrated by the dashed arrow output 852 in FIG. 8).

FIG. 9 is an industrial asset protection method that might be associated with the elements of the system of FIG. 8. Note that the flowcharts described herein do not imply a fixed order to the steps, and embodiments of the present invention may be practiced in any order that is practicable. Note that any of the methods described herein may be performed by hardware, software, or any combination of these approaches. For example, a computer-readable storage medium may store thereon instructions that when executed by a machine result in performance according to any of the embodiments described herein.

At S910, a dynamic, resilient estimator may construct, using only normal monitoring node values over time that represent a normal operation of the industrial asset, a latent feature space, of lower dimensionality as compared to a temporal monitoring node space, associated with latent features. At S920, the dynamic, resilient estimator may construct, using only normal monitoring node values over time that represent a normal operation of the industrial asset, functions to project monitoring node values into the latent feature space. Responsive to an indication that the at least one abnormal monitoring node is currently being attacked or experiencing a fault, at S930 the system may automatically compute optimal values of the latent features to minimize a reconstruction error associated with the monitoring nodes not currently being attacked or experiencing a fault. At S940, the system may project the optimal values from the latent feature space back into the temporal monitoring node space to provide estimated values of the at least one abnormal monitoring node currently being attacked or experiencing a fault. At S950, the current series of monitoring node values from the at least one abnormal monitoring node may be replaced with the estimated values.

Note that a determination that a particular monitoring node is currently abnormal might be based on an abnormality detection model created for the industrial asset. For example, FIG. 10 is an example of an industrial asset protection system 1000. The system 1000 may include a “normal space” data source 1020 storing, for each of a plurality of monitoring nodes 1010, a series of normal values over time that represent normal operation of an industrial asset (e.g., collected from actual monitoring node 1010 data as illustrated by the dashed line in FIG. 10). The system 1000 may also include an “abnormal space” data source 1030 storing series of values over time associated with monitoring nodes undergoing a cyber-attack (e.g., as recorded during an actual attack or as predicted by a high-fidelity physics-based industrial asset model) and/or experiencing a failure.

Information from the normal space data source 1020 and the abnormal space data source 1030 may be provided to an abnormality detection model creation computer 1060 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from abnormal behavior). The decision boundary may then be used by an abnormality detection computer 1050 executing an abnormality detection model 1055. The abnormality detection model 1055 may, for example, monitor streams of data from the monitoring nodes 1010 comprising data from sensor nodes, actuator nodes, and/or any other critical monitoring nodes (e.g., monitoring nodes MN₁ through MN_(N)) and automatically output an abnormality alert (e.g., indicating that various monitoring nodes of the industrial asset are normal, attacked, or experiencing a fault) to one or more remote monitoring devices 1070 when appropriate (e.g., for display to a user) and/or to a dynamic, resilient estimator. As used herein, the terms “automatically” or “autonomous” may refer to, for example, actions that can be performed with little or no human intervention. According to some embodiments, information about a detected abnormality may also be transmitted back to an industrial control system.

As used herein, devices, including those associated with the system 1000 and any other device described herein, may exchange information via any communication network which may be one or more of a Local Area Network (“LAN”), a Metropolitan Area Network (“MAN”), a Wide Area Network (“WAN”), a proprietary network, a Public Switched Telephone Network (“PSTN”), a Wireless Application Protocol (“WAP”) network, a Bluetooth network, a wireless LAN network, and/or an Internet Protocol (“IP”) network such as the Internet, an intranet, or an extranet. Note that any devices described herein may communicate via one or more such communication networks.

The abnormality detection model creation computer 1060 may store information into and/or retrieve information from various data stores, such as the normal space data source 1020 and the abnormal space data source 1030. The various data sources may be locally stored or reside remote from the abnormality detection model creation computer 1060. Although an abnormality threat detection model creation computer 1060 is shown in FIG. 10, any number of such devices may be included. Moreover, various devices described herein might be combined according to embodiments of the present invention. For example, in some embodiments, the abnormality detection model creation computer 1060, normal space data source 1020, and abnormal space data source 1030 might comprise a single apparatus. The abnormality detection model creation computer 1060 and/or abnormality detection computer 1050 functions may be performed by a constellation of networked apparatuses, in a distributed processing or cloud-based architecture.

A user may access the system 1000 via one of the monitoring devices 1070 (e.g., a Personal Computer (“PC”), tablet, or smartphone) to view information about and/or manage attack and fault information in accordance with any of the embodiments described herein. In some cases, an interactive graphical display interface may let a user define and/or adjust certain parameters (e.g., attack detection trigger levels or model configurations) and/or provide or receive automatically generated recommendations or results from the abnormality detection model creation computer 1060 and/or the abnormality detection computer 1050.

The decision boundary associated with the abnormality detection model 1055 can be used to detect cyber-attacks. For example, FIG. 11 is an industrial asset protection method that might be implemented according to some embodiments. At S1110, the system may receive, from a plurality of monitoring nodes, a series of current values over time that represent a current operation of an industrial asset. The system may also generate, based on the received series of current values, a set of current feature vectors. At S4110, an abnormality detection model may be accessed including at least one decision boundary. At S1130, the model may be executed, and an abnormality alert may be transmitted (e.g., to a dynamic, resilient estimator) based on the set of current feature vectors and the decision boundary when appropriate (e.g., when a cyber-attack or fault is detected). According to some embodiments, one or more response actions may be performed when an abnormality alert is transmitted. For example, the system might automatically shut down all or a portion of the industrial asset (e.g., to let the detected potential cyber-attack or fault be further investigated). As other examples, one or more parameters might be automatically modified, a software application might be automatically triggered to capture data and/or isolate possible causes, a virtual sensor might be created or deployed, etc.

When available, a system may take advantage of the physics of an industrial asset by learning a priori from tuned high fidelity equipment models and/or actual “on the job” data to detect single or multiple simultaneous adversarial threats to or faults in the system. Moreover, monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the control system may be monitoring in substantially real-time. Abnormalities may be detected by classifying the monitored data as being “normal” or “abnormal” (e.g., “attacked”). This decision boundary may be constructed in feature space using dynamic models and may help enable early detection of vulnerabilities (and potentially avert catastrophic failures) allowing an operator to restore the control system to normal operation in a timely fashion. Note, however, that in many cases a physics-based model of an industrial asset might not be readily available.

FIGS. 12 and 13 illustrate features, feature vectors, and decision boundaries in accordance with some embodiments. In particular, FIG. 12 illustrates 1200 boundaries and feature vectors for a monitoring node parameter in accordance with some embodiments. A graph 1210 includes a first axis representing value weight 1 (“w1”), a feature 1, and a second axis representing value weight 2 (“w2”), a feature 2. Values for w1 and w2 might be associated with, for example, outputs from a Principal Component Analysis (“PCA”) performed on input data. PCA might be one of the features that might be used by the algorithm to characterize the data, but note that other features could be leveraged. The graph 1210 illustrated in FIG. 12 represents compressor discharge temperature for a gas turbine but other values might be monitored instead (e.g., compressor pressure ratio, compressor inlet temperature, fuel flow, generator power, gas turbine exhaust temperature, etc.). The graph 1210 includes an average boundary 1212 (solid line), a minimum boundary 1214 (dotted line), a maximum boundary 1216 (dashed line), and an indication associated with current feature location for the monitoring node parameter (illustrated with an “X” on the graph 1210). As illustrated in FIG. 12, the current monitoring node location is between the minimum and maximum boundaries (that is, the “X” is between the dotted and dashed lines). As a result, the system may determine that the operation of the industrial asset is normal (and no attack or fault is being detected for that monitoring node). FIG. 13 illustrates 1300 three dimensions of threat node outputs in accordance with some embodiments. In particular, a graph 1310 plots monitoring node outputs during normal operation (“+”) and when under attack or experiencing a fault (“−”) in three dimensions, such as dimensions associated with PCA: w1, w2, and w3. Moreover, the graph 1310 includes a dashed line indication of a normal operating space decision boundary 1320.

Note that an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm) and/or be manually input, might comprise a good predictor of measured data in a low dimensional vector space. According to some embodiments, appropriate decision boundaries may be constructed in a multi-dimensional space using a data set which is obtained via scientific principles associated with Design of Experiments (“DoE”) techniques. Moreover, multiple algorithmic methods (e.g., support vector machines or other machine learning based supervised learning techniques) may be used to generate decision boundaries. Since boundaries may be driven by measured data, defined boundary margins may help to create a threat zone in a multi-dimensional feature space. Moreover, the margins may be dynamic in nature and adapted based on a transient or steady state model of the equipment and/or be obtained while operating the system as in self-learning systems from incoming data stream. According to some embodiments, a training method may be used for supervised learning to teach decision boundaries. This type of supervised learning may take into account an operator's knowledge about system operation (e.g., the differences between normal and abnormal operation).

FIG. 14 illustrates a model creation method that might be performed by some or all of the elements of the system 800, 1000 described with respect to FIGS. 8 and 10. At S1410, the system may receive, for each of a plurality of monitoring nodes, a series of normal values over time that represent normal operation of the industrial asset and a set of normal feature vectors may be generated. At S1420, the system may retrieve, for each of the plurality of monitoring nodes, a series of abnormal values over time that represent abnormal operation of the industrial asset and a set of abnormal feature vectors may be generated. The series of normal values might be obtained, for example, by DoE on an industrial control system associated with a power turbine, a jet engine, a locomotive, an autonomous vehicle, etc. At S1430, a decision boundary may be automatically calculated and output for an abnormality detection model based on the sets of normal and abnormal feature vectors. According to some embodiments, the decision boundary might be associated with a line, a hyperplane, a non-linear boundary separating normal space from attacked space, and/or a plurality of decision boundaries. In addition, note that the abnormality detection model might be associated with the decision boundary, feature mapping functions, and/or feature parameters.

Thus, a system may classify the status of an industrial control system having a plurality of monitoring nodes (including sensor, actuator, and controller nodes) as being normal or abnormal. This may enable tailored, resilient, and fault-tolerant control remedies, including the deployment of virtual sensors, against cyber-attacks and faults.

According to some embodiments, time-series data may be received from a collection of monitoring nodes (e.g., sensor, actuator, and/or controller nodes). Features may then be extracted from the time series data for each monitoring node. The term “feature” may refer to, for example, mathematical characterizations of data. Examples of features as applied to data might include the maximum and minimum, mean, standard deviation, variance, settling time, Fast Fourier Transform (“FFT”) spectral components, linear and non-linear principal components, independent components, sparse coding, deep learning, etc. The type and number of features for each monitoring node, might be optimized using domain-knowledge, feature engineering, or ROC statistics. The local features for each monitoring node may be stacked to create the global feature vector. The global feature vector may also contain interactive feature involving two or more monitoring nodes, e.g. cross-correlation between two nodes. According to some embodiments, the features may be normalized and the dimension of the global feature vector can then be further reduced using any dimensionality reduction technique such as PCA. Note that the features may be calculated over a sliding window of the signal time series and the length of the window (and the duration of the slide) may be determined from domain knowledge and inspection of the data or using batch processing.

Note that many different types of features may be utilized in accordance with any of the embodiments described herein, including principal components (weights constructed with natural basis sets) and statistical features (e.g., mean, variance, skewness, kurtosis, maximum, minimum values of time series signals, location of maximum and minimum values, independent components, etc.). Other examples include deep learning features (e.g., generated by mining experimental and/or historical data sets) and frequency domain features (e.g., associated with coefficients of Fourier or wavelet transforms). Embodiments may also be associated with time series analysis features, such as cross-correlations, auto-correlations, orders of the autoregressive, moving average model, parameters of the model, derivatives and integrals of signals, rise time, settling time, neural networks, etc. Still other examples include logical features (with semantic abstractions such as “yes” and “no”), geographic/position locations, and interaction features (mathematical combinations of signals from multiple monitoring nodes and specific locations). Embodiments may incorporate any number of features, with more features allowing the approach to become more accurate as the system learns more about the physical process and threat. According to some embodiments, dissimilar values from monitoring nodes may be normalized to unit-less space, which may allow for a simple way to compare outputs and strength of outputs.

Note that PCA information may be represented as weights in reduced dimensions. For example, data from each monitoring node may be converted to low dimensional features (e.g., weights). According to some embodiments, monitoring node data is normalized as follows:

${S_{normalized}(k)} = \frac{{S_{nominal}(k)} - {S_{original}(k)}}{{\overset{\_}{S}}_{nominal}}$

where S stands for a monitoring node quantity at “k” instant of time. Moreover, the output may then be expressed as a weighted linear combination of basis functions as follows:

$S = {S_{0} + {\sum\limits_{j = 1}^{N}{w_{i}\Psi_{j}}}}$

where S₀ is the average monitoring node output with all threats, w_(j) is the j^(th) weight, and Ψ_(j) is the j^(th) basis vector. According to some embodiments, natural basis vectors are obtained using a covariance of the monitoring nodes' data matrix. Once the basis vectors are known, the weight may be found using the following equation (assuming that the basis sets are orthogonal):

w _(j)=(S−S ₀)^(T)Ψ_(j)

Note that weights may be an example of features used in a feature vector.

Thus, once the observed quantities from monitoring nodes are expressed in terms of feature vectors (e.g., with many features), the feature vectors may then be used as points in a multi-dimensional feature space. During real-time abnormality detection, decisions may be made by comparing where each point falls with respect to a decision boundary that separates the space between two regions (or spaces): abnormal (“attack” or “fault”) space and normal operating space. If the point falls in the abnormal space, the industrial asset is undergoing an abnormal operation such as during a cyber-attack. If the point falls in the normal operating space, the industrial asset is not undergoing an abnormal operation such as during a cyber-attack or fault. In some embodiments, an appropriate decision zone with boundaries is constructed using data sets as described herein with high fidelity models. For example, support vector machines may be used with a kernel function to construct a decision boundary. According to some embodiments, deep learning techniques may be used to construct decision boundaries.

Note that industrial processes may be controlled by Programmable Logic Controllers (“PLC”) with Ethernet ports and IP addresses. Computer worms can live in the PLC and be inactive for many days and can replicate itself into many targets as it finds them. IT and OT protection mechanisms cannot completely keep a PLC safe and different approaches may be needed to protect critical infrastructures from more advanced viruses and allow for an industrial asset to operate (including critical functions) even when being attacked. In particular some embodiments described herein provide a multi-node virtual sensor to sustain operation of an industrial asset with no loss of critical function. The virtual sensor might utilize, for example, some or all of the following information to estimate true signals; (1) information from localization about which nodes were attacked independently, (2) features from monitoring nodes, and (3) a multi-node feature-based virtual sensor model trained a priori from the system data set. Estimated true signals may then be used in the respective nodes instead of attacked signals.

In a control system during operational normalcy, the system may receive time series signals from various monitoring nodes (i.e., sensor, actuator, controller, etc.). Consider a general system (e.g., cyber physical system, software system, bio-mechanical system, network system, communication system, etc.) that contains access to continuous streams of data in the form of time series signals from all these sensors. The time series signals might be generated from a set of output sensor nodes (“v”; both physical and virtual sensors already incorporated in the system), a set of actuator nodes (“u”; both hard and soft actuators generated from open or closed loop system), a set of output of controller nodes (“c”; controller node signals), and a set of reference nodes (“r”; reference signals). According to some embodiments, logicals are also considered as time series signals. Some or all combinations of these signals may be used for the purpose of accommodation with a virtual sensor. The virtual sensor matrix used for this purpose may, for example, estimate not only system sensor outputs, y, when an attack takes place to any of the sensor nodes, but also other signals to the control system; actuator node signals, u, controller node signals, c, reference signals, r, etc. Thus, the virtual sensor-based accommodation system may provide an intelligent system that is designed to estimate signals that are corrupted/attacked from the healthy signals it receives.

Some embodiments described herein may provide a system and method for autonomous reconfigurable virtual sensing to neutralize the effect of anomalies (cyber-attack or faults) in system measurements. The system may provide correct estimates of compromised sensor measurements using uncompromised sensor measurements, thus replacing the comprised sensors with healthy virtual (or “soft”) sensors. The dynamic, resilient estimator may use, according to some embodiments, continuous dynamic learning. For example, virtual sensor estimations may be computed on-line (during operation of the industrial asset) using a dynamic recursive method based on reinforcement learning. The system may be scalable, efficient, and automatically adjust its configuration to accommodate the time-varying uncompromised portion of the system sensors. Note that the system might work with partial, or no, a priori knowledge (e.g., a predetermined virtual sensor model).

Some embodiments described herein may provide a resilient estimation method for sensors of a control system to maintain the integrity and availability of the system under abnormalities such as cyber-attacks and sensor faults/failures. According to some embodiments, a virtual sensing system may satisfy some or all of the following four criteria:

-   -   1. the virtual estimator is unbiased (i.e., zero-mean error);     -   2. the virtual estimator has white innovation (optimal in the         sense of a Cramer-Rao information bound);     -   3. the virtual estimator is statistically efficient (i.e., the         error asymptotically converging to zero); and     -   4. the estimation error standard division is comparable to the         real sensor measurement (so the quality of the virtual         estimations is comparable with the physical sensor measurement).

Note that a system may receive time-series data from a collection of sensor monitoring nodes and replace independently attacked/faulty sensor(s) with their virtual estimate(s) as soon as an abnormality is detected. For each compromised sensor, the system may construct a dynamic, resilient estimator using uncompromised sensors. Each of such dynamic, resilient estimators can use all (or a subset) of the remaining healthy sensors. For example, for each sensor, an Analysis Of Variance (“ANOVA”) or correlation/regression analysis may be performed to rank the contributing factors. The system may then down-select the significant sensors, which are desirable for virtual modeling of each particular on-line sensor estimator. Then, using the aforementioned ANOVA or correlation analysis, the list of the factors to be used in each virtual model may pre-stored into the system, while the virtual sensing model is learnt and adapted on-line.

For example, FIG. 15 shows a correlation heat map 1500 for ten monitoring nodes (sensors/actuators/controller nodes) of a gas turbine. Pairs of values may each have a correlation scores (e.g., from 1 indicating a strong correlation to zero indicating no correlation to −1 indicating a strong negative correlation). For each node, the other nodes whose absolute value of the correlation coefficient is larger than a threshold (e.g., above 0.25) might be stored as main contributing factors. For the critical sensors of the system, or the ones that measure highly non-linear dynamic phenomena, an off-line model could be learned and then adapted on-line. For the rest of the sensors, the on-line learning may start completely model-free and the models may be learned from scratch, in real-time during operation of the industrial asset. Note that a virtual sensor may utilize a lookup table, such as the table 1600 illustrated in FIG. 16 including a virtual sensor matrix 1610 and a signal being estimated 1620, to create a value Y_(i)=C_(i,jXi) (where i represents the signals in feature space being estimated and j represents the number of attacked signals being estimated).

Some embodiments described herein may assume that when the attacked/faulty sensors are removed, the compromised plant remains observable. The continuous learning may be based on Reinforcement Learning (“RL”) methodology. For example, an on-line learning algorithm such as Q-learning or the recursive least-squares method might be used for reinforcement learning. According to some embodiments, the approach might be interpreted as a Partially Observed Markov Decision Process (“POMDP”) with continuous state and action spaces. This POMDP may exhibit, for example, deterministic transitions when configuration transitions are specified by a sensor diagnostics and anomaly classification module. A reinforcement learning engine may work on a deep neural network using Q-learning, referred to as a Deep Q Network (“DQN”). Note that embodiments may be associated with any other type of reinforcement learning instead of (or in addition to) a DQN.

During normal operation, all sensors go into a reinforcement learning method running an on-line learning algorithm (e.g., a recursive least-square, a recursive weighted least square, Q-learning, etc.). This may comprise a “base” configuration of the system. The base configuration remains in place as long as there are no reported abnormalities (i.e., attacks or faults). Once an abnormality is reported, the virtual sensing system automatically adopts into a “partial” configuration for which the healthy sensors are the inputs and the estimates of both the compromised sensors as well normal sensors are the outputs. According to some embodiments, the system may keep the healthy sensors in the estimation loop (i.e., forming a full-order observer) so that at each instant a learnt model for virtual estimations of all sensors is readily available. In this way, if another sensor is suddenly compromised, the system will keep running without facing discontinuity in the underlying optimization procedures of continuous learning. Inside the partial configuration, all or a subset of inputs may be used to compute each particular output. The virtual sensor estimator may be a full-order observer both during the base and partial configurations, hence providing estimates of the measurements of the sensors at all times. The correlation analysis previously described may be used to provide initial guess for the reward/penalty weighting functions in the reinforcement learning.

The continuous learning described herein may serve as a core of a model-free (or partial-model) Kalman filter, which receives partial or full measurements (depending of the status of the system) and provide full-order (or reduced-order) output estimates. A Kalman Temporal Differences technique may be used to implement the Kalman Filter. The described reinforcement learning based continuous learning framework may satisfies the conditions 1 through 4 previously mentioned as long as the plant remains observable through usage of the uncompromised subset of sensors. If the plant loses this observability due to large number of sensors being compromised, the system may still provide virtual sensor estimates but some or all of the conditions may no longer be satisfied. According to some embodiments, an on-line observability test may be performed using the models built on-line and a warning may be generated by the dynamic, resilient estimator in this situation. In addition, statistical tests (such as X² test) may be performed on-line using the innovation signal of the uncompromised sensor measurements, which are readily available verses their virtual estimates, which are part of the virtual estimator outputs.

Note that feature vectors might represent local or global information. For example, FIG. 17 is an example of a global threat protection system 1700 in accordance with some embodiments when multiple gas turbines are involved in a system. In particular, the system 1700 includes three turbines (A, B, and C) and batches of values 1710 from threat nodes are collected for each generated over a period of time (e.g., 60 to 80 seconds). According to some embodiments, the batches of values 1710 from threat nodes overlap in time. The values 1710 from threat nodes may, for example, be stored in a matrix 1720 arranged by time (t₁, t₂, etc.) and by type of threat node (S₁, S₅, etc.). Feature engineering components 1730 may use information in each matrix 1720 to create a feature vector 1740 for each of the three turbines (e.g., the feature vector 1740 for turbine C might include FS_(C1), FS_(C2), etc.). The three feature vectors 1740 may then be combined into a single global feature vector 1750 for the system 1700. Interaction features 1760 may be applied (e.g., associated with A*B*C, A+B+C, etc.) and an anomaly detection engine 1770 may compare the result with a decision boundary and output a threat alert signal when appropriate.

FIG. 18 is a method that might be associated with an on-line operational process in accordance with some embodiments. After observing the monitoring nodes at S1810, the features are extracted at S1820 from each observation of each monitoring node. Then using the dynamic models identified in a training phase, each model then generates filtered or estimated features at S1830 using stochastic estimation techniques, such as Kalman filtering. In some embodiments, dynamic models may not be required to further filter or estimate features. The covariance matrix of the process noise needed for the stochastic estimator is readily available here as Q, which can be computed during training phase as the covariance of the error term e(t). Then the output of each stochastic estimator is compared against its corresponding local decision boundary at S1840, also computed and pre-stored during the training phase. If the local boundary is not passed at S1840, the monitoring node is normal at S1850. Each monitoring node with an estimated feature that violates the corresponding decision boundary is reported as being under attack at 51860.

In the next stage, the system post-processes the localized attack and determines whether the detected attack is an independent attack or it is an artifact of the previous attack through propagation of the effects in the closed-loop feedback control system at 51870. This may provide additional information and insight and may be useful when multiple attacks are detected at the same time.

For example, FIG. 19 is a method of determining whether an attack is an independent attack or a dependent attack according to some embodiments. According to some embodiments, three tests may be performed to determine if an attack should be classified as an “independent attack” or a “dependent attack:” (1) a causal dependency test, (2) a propagation path test, and (3) a time separation test. Together, these three tests are referred to herein as the “attack dependency conformance test.” At S1910, a causal dependency matrix may be used to determine if the current attack was potentially caused by a previous attack. If the current attack could not have been caused by a previous attack at S1910, it is classified as an “independent attack” at S1920. In this causality test, the system may check whether there is a potential causal dependency between the newly detected attack and any previously detected attack on other monitoring nodes. This check might be based on, for example, a binary matrix of causal dependencies between any two nodes (e.g., as described with respect to FIG. 16). The causal dependency matrix might be generated, according to some embodiments, based on domain knowledge. If no such possible dependencies exist, the attack is reported as an “independent attack” at S1920. Otherwise, the system may perform a second check.

In particular, at S1930 a propagation paths map may be used to determine if the current attack potentially propagated from a previous attack. If the current attack could not have propagated from a previous attack at S1930, it is classified as an “independent attack” at S1920. In this propagation test, for each causal dependency the system may check whether a propagation path is fulfilled. This might mean that, for example, if the effect of node 1 being under attack is propagated to node 4, through node 3, then an anomaly in node 1 can cause an anomaly on node 4 only if node 3 is already anomalous. The anomaly propagation paths might also be defined by domain knowledge and pre-stored in the localization system. If no such propagation paths are fulfilled, then the attack is reported an “independent attack” at S1920. Otherwise, the system may perform the third check.

At S1940, control loops time constraints may be used to determine if the current attack was potentially caused by a previous attack based on time separation. If the current attack could not have been caused by a previous attack based on time separation at S1940, it is classified as an “independent attack” at S1920. This time separation test may utilize the fact that if the attacked monitoring under investigation is an artifact of the closed-loop feedback system, then the effect should arise within a time window between the rise time and the settling time of the control loop corresponding to the monitoring node. However, since the system uses a dynamic estimator, a propagation time may need to be added throughout the estimator. Using n features, and p lags in the models, the dynamic estimator will have n*p states, and therefore adds n*p sampling times delay into the system. Therefore, the expected time window for a dependent attack to occur might be defined by:

1.5*τ+n*p<Δt<5*τ+n*p

where Δt is the time after any previously detected attacks on other nodes that has passed checks 1 and 2, and τ is the time constant of the control loop responsible for the current node under investigation. If such a time-separation check is not passed, the system reports the attack as an independent attack at S1920.

If it is determined at S1950 that the current attack meets the time separation test (and, therefore, also meets both the propagation test of S1930 and the causal dependency test of S1940), the current attack is classified as a “dependent attack” at S1950.

Note that other attack and anomaly detection techniques may only provide a binary status of the overall system (whether it is under attack or not). Embodiments described herein may provide an additional layer of information by localizing the attack and determining not only if the system is under attack (or not) but also which node is exactly under attack.

As a result, embodiments may provide a significant and automated solution to attack localization. Note that the attack localization information may be important when responding to the attack, including operator action plans and resilient control under attack. Embodiments described herein may handle multiple simultaneous anomalies in the system, which is beyond the capability of the conventional fault detection systems. This may also let the approaches described herein be used as a fault detection and isolation technique for more sophisticated, multiple-fault scenarios. Further, distributed detection and localization systems enabled by embodiments described herein across multiple equipment and systems may allow for a coordination of data to detect and precisely pin-point coordinated multi-prong attacks. This may further enable a relatively quick way to perform forensics and/or analysis after an attack.

Note that some embodiments may analyze information in the feature space, which has many advantages over working in the original signal spaces, including high-level data abstraction and modeling high dimensional spaces without adding substantial computational complexity. The feature-based method for localization may also extend feature vectors and/or incorporate new features into existing vectors as new learnings or alternate sources of data become available. Embodiments described herein may also enable use of heterogeneous sensor data in a large-scale interconnected system, even when the data comes from many geospatially located heterogeneous sensors (i.e., conventional plant sensors, unconventional sensors such as cell-phone data, logical, etc.). This may offer additional commercial advantages for post-mortem analysis after an attack.

FIG. 20 illustrates a feature time series 2000 of a first attack example comparing the real-time feature of a monitoring node to the modeled feature of a monitoring node via a graph 2010 according to some embodiments. In particular, the examples described with respect to FIGS. 20 through 23 involve the following parameters for a gas power turbine:

-   -   Compressor Discharge Pressure (“CPD”),     -   Compressor Discharge Temperature (“CTD”),     -   Compressor Inlet Temperature (“CTIM”),     -   Turbine Fuel Flow (“FQG”),     -   Generator Electrical Power Output (“DWATT”), and     -   Turbine Exhaust Temperature (“TTXM”).

Consider, for example, an attack on TTXM. In this single attack scenario, the system may want to verify whether it can detect and localize the attacked node. As illustrated in FIG. 20, the attack is detected at t=11 sec. Using the embodiments described herein, the attack is detected within 1 sec and correctly localized to TTXM. FIG. 20 shows the measured feature time series of the detected and localized attack 2030 along with the generated features 2020 estimated using stochastic model-based estimation.

FIG. 21 illustrates a feature time series 2100 via a graph 2110 of a second (stealthy) attack comparing the real-time feature of a monitoring ode to the modeled feature of a monitoring node in accordance with some embodiments. That is, this is again an attack on TTXM but this time the attack simulates a stealthy attack in which the sensor is tampered with slowly over time and/or elaborately. Such stealthy attacks are designed to pass the existing fault diagnosis system and can remain in the control system for a long time without being detected. In this simulation, the attack was applied at t=40 sec. Using the localization methods described herein, the attack was detected at t=105 sec, and is correctly localized to TTXM. FIG. 21 shows the measured feature time series of the detected and localized attack 2130 along with the expected features 2120 estimated using the stochastic model-based estimation.

In a third attack scenario, the system may simulate a simultaneous attack on two monitoring nodes. Two sensors are attacked at the same time, namely CPD and CTD, and both attacks are applied at t=15 sec. Using embodiments described herein, both attacks are truly detected and localized within seconds. Out of the other 4 sensors, 3 are correctly not detected at all. One is detected (DWATT) at a later time, which is dependent attack. The results are summarized in the table 1500 of FIG. 22. In particular, the table 2200 lists the attack nodes 2202 along with associated externally attacked data 2204 and attack detection and localization data 2206.

In this third example (illustrated in the table 2200), there are two externally injected attacks on CPD and CTD. The first attack is detected at t=16 sec and localized to CTD. Since there is no previously detected attack, the causality test fails and this attack is correctly reported as an “independent attack.” The second attack is detected at t=19 sec and correctly localized to CPD. In this case, there is causal dependency and a direct proportion path from CTD to CPD. The causal dependency matrix 2300 for this example is shown in FIG. 23. The matrix 2300 lists each potential attack node and whether or not that node can have an effect on each other node (with a “1” indicating a potential effect and a “0” indicating no potential effect).

The second attack therefore passes both the causality test and the proportion test. However, based on time separation criterion, in order for the CPD attack to be a dependent attack it must have happened within 4.25<Δt<9.5 sec after the CTD detection instance. The actual Δt illustrated in the table 2200 is 3 sec (that is, 19 sec−16 sec). Therefore, the time separation test is not passed and, as a result, the CPD attack is correctly reported as an “independent attack.”

At t=53 sec, the DWATT sensor is also reported as being under attack. Note that there are two previously reported attacks, and the causality and propagation tests pass for both previous attacks (as shown in the matrix 2300). Using the time separation criterion, the DWATT attack instant must be with 15.5<Δt<47 sec after those attacks. The table 2200 lists the actual Δt as Δt=53 sec−16 sec=37 sec for CTD attack and Δt=53 sec−19 sec=34 sec for CPD attack. So, the time separation test passes for both previous attacks and, therefore, the DWATT attack is correctly reported as a “dependent attack.” Note that, based some embodiments described herein, passing the time separation test even for one previously detected attack may still be enough to report DWATT as a dependent attack.

FIG. 24 shows an architecture for an autonomous reconfigurable virtual sensing system 2400. The system 2400 receives time-series measurements 2410 of the sensors as inputs. The measurements are pre-filtered 2420 for de-noising and outlier removal. Denoising may be done, for example, by low pass filtering using law pass filters whose individual cut-off frequencies may be turned based on the individual bandwidths of each sensor. Outlier removal might be performed on-line by computing the standard deviation of measurements over a sliding window. For example, FIG. 25 illustrates a sliding window 2500 including a series of values per second. Referring again to FIG. 24, feature extraction 2440, anomaly detection 2450, and localization techniques 2454 may be used to determine 2452 if there is any anomaly in the sensor (and to specify the particular anomalies). When an anomaly or abnormality exists in the system 2400, all the sensor measurements may be passed, via an indexed selector 2430, to a dynamic, resilient sensing system 2480 that uses an on-line continuous learning technique in accordance with any of the embodiments described herein. When there is an abnormality, the sensors that are determined by conformance matrix logic 2460 as an independent anomaly (i.e., and not an artifact of the propagation of other anomalies through the system 2400) are removed 2470 and the uncomplimented subset of sensors are passed to the dynamic, resilient sensing system 2480. For example, the system 2400 may have N sensors, of which p sensors are normal and q sensors are independently abnormal. Note that both p and q are time-varying but p[k]+q[k]=N at each time instant k. The p normal sensors are specified by the conformance matrix logic 2460 and down-selected via the indexed selector 2430 to be inputted to the dynamic, resilient sensing system 2480. Note that the normal subset may be continuously changing and, as a result, the internal learning configuration of the dynamic, resilient sensing system 2480 is also changing. The on-line continuous learning is used to learn a (potentially) non-linear, time-varying, and variable-structure function ƒ that relates the next-step values of the sensors estimates to the current and lagged values of the sensor estimates (i.e., outputs of the dynamic, resilient estimator) and the current and lagged values of the normal sensor measurement (i.e., inputs of the dynamic, resilient estimator) as follows:

Ŝ=[Ŝ ₁ Ŝ ₂ . . . Ŝ _(N)]^(T)

Ŝ ^(n)=[Ŝ ₁ ^(n) Ŝ ₂ ^(n) . . . Ŝ _(p) ^(n)]^(T) ,Ŝ ^(a)=[Ŝ ₁ ^(a) Ŝ ₂ ^(a) . . . Ŝ _(q) ^(a)]^(T)

Ŝ[K+1]=ƒ(Ŝ[k], . . . ,Ŝ[k−l],Ŝ ^(n)[k], . . . ,Ŝ ^(n)[k−m],k)

where l and m are the number of lags used for outputs and inputs, respectively; and the normal and abnormal sensors are depicted with superscripts, n and a, respectively. Note that both l and m might also be found automatically on-line and they might be time varying as well, hence making fa variable structure. For substantially large-scale systems, a sparsity structure might be exploited in the dynamic, resilient sensing system 2480 to have a reduced-order observer, or to have a full order observer in which continuous learning computations may applied at each configuration change event until convergence is achieved. Estimator parameters may then remain constant until the next configuration change occurs.

Some embodiments described herein may work in a feature space of much smaller dimension (as compared to the sensor space) and cast the problem as a generic optimization problem. Such an approach may not need training associated with specific attack scenarios, thus reducing development time and making the approach scalable. Moreover, because only a single model is required for each of feature extraction and reconstruction, the memory requirements may be substantially reduced.

Embodiments may provide a resilient estimation method for sensors of a control system to maintain the integrity and availability of the system during abnormalities such as cyber-attacks, sensor faults, and/or sensor failures. The system may receive time-series data from a collection of sensors and replace attacked or faulty sensors with virtual estimates as soon as detection, localization, and/or conformance matrix logic sub-modules (e.g., of a sensor diagnostics and anomaly classification module) identify the problem. For each compromised sensor, the system may construct a virtual estimator that uses the uncompromised sensors. Each of such virtual estimators may use all or a subset of the remaining healthy sensors.

FIG. 26 is a method according to some embodiments. At S2610, a latent feature space of lower dimension as compared to the temporal sensor space may be constructed using only normal operational data. At S2620, the functions to project the variables from temporal sensor space to latent feature space (and back from latent feature space to temporal sensor space) are constructed based on normal operational data. During an attack or fault, constrained optimal values of the latent features are computed to minimize the reconstruction error of the healthy and uncompromised sensors at S2630. At S2640, the optimal values from latent feature space are then projected back to the complete temporal sensor space to provide estimates of the compromised sensors.

Consider, for example, a discrete time system where the sampling time is T_(s) and any time point, t, can be approximated by an integer k:t_(k)=kT_(s) such that t≅t_(k). The temporal sensor space

∈

^(N) ^(s) ^(×w) contains time series information of N_(s) sensors over a window of w samples. The latent feature space

∈

^(N) ^(f) contains the N_(f) features extracted from the temporal sensor space with N_(f)<<N_(s)×w. The advantage of operating on a space with reduced dimensions is the reduced computational complexity that makes the reconstruction optimization problem more tractable.

A goal of the feature extraction phase may be to derive the encoding map ε:

→

from the sensor space to the feature space and the decoding map

:

→

from the feature space back into the temporal sensor space in such a way that minimizes the reconstruction error of the healthy sensors. In other words, an optimization problem is solved:

$\underset{g}{\arg \mspace{14mu} \min}{{X_{h} -}}$

subject to g_(LB)≤g≤g_(UB), where X_(h)∈

represents the healthy sensors in temporal sensor space,

∈

represents the model-predicted healthy sensor values and {g, g_(LB), g_(UB)}∈

represent the system state in the feature space, its lower and upper bounds, respectively. Note that the model for

involves the decoding map function:

=ƒ(u_(critical),

(g)), where ƒ represents the predictive model that uses the critical subset of measurements, u_(critical) together with the decoded features.

Embodiments of the encoder-decoder map may include: (i) a Principal Component Analysis (“PCA”), and (ii) deep autoencoders. Note, however, that any encoder-decoder map that captures the important characteristics of the temporal sensor space might be embedded in the described optimization problem and is therefore a candidate for this approach.

FIG. 27 is an example 2700 of features in Principal Component (“PC”) space in accordance with some embodiments. The example 2700 includes a three-dimensional graph 2710 of a feature associated with three variables: x1, x2, and x3. According to some embodiments, two PCs may be sufficient to capture the variation of the normal operational dataset. The optimization problem may solve for the optimal coordinates in the latent feature space, g₁ 2720 and g₂ 27230. In this example, the temporal sensor space is three-dimensional,

∈

³, and the latent feature space is two-dimensional,

∈

².

In the PC-based method, the encoding map may be the principle component projection of the sensor space to the latent feature space and the corresponding linear reconstruction map may be used as the decoder function. The PC space (i.e., the latent feature space) may be obtained by finding the dominant eigenvectors of the covariance of the normal operational data. The PCA-based approach may have the advantage of using a set of affine transformations, which allows the optimization problem to be solved for reconstruction during attack to remain convex thereby guaranteeing a global optimality of the solution.

FIG. 28 is an example 2800 of an auto-encoder including encoder and decoder parts according to some embodiments. An encoder 2880 portion includes an input 2810 (x) and code 2820 (Z). A decoder 2890 portion includes the code 2820 (Z) and an output 2830 (x′). Note that an ability to model non-linear and more complex set of transformations may gained by using deep autoencoders instead of PCA. In this case, the transformations that are used are not linear and the convexity of the optimization problem (and therefore the global optimality guarantee) is lost. However, the use of non-linear transformations in many scenarios would achieve a better cost function value for the aforementioned optimization problem and thus represents a better approximation. A deep Convolutional Neural Network or Recurrent Neural Network (“RNN) may be used to construct the autoencoder and be trained using only normal operational data. Once trained, the autoencoder network can be readily decomposed into the encoder and decoder maps where the output at the bottleneck constitutes the latent feature space.

To identify the optimal values of the feature vectors during an attack, the following optimization problem might be solved:

$\underset{l}{\arg \mspace{14mu} \min}\mspace{14mu} {C\left( {X_{h} - {f\left( {u_{critical},{(l)}} \right)}} \right)}$

where C:

→

is the cost function to be minimized and l∈

is the feature vector whose reconstruction minimizes the error between the unattacked healthy measurements, X_(h), and estimates of the healthy sensor,

(l). The optimization problem may preferably be constrained as described previously but can also be unconstrained, as shown above, based on the system and sensor characteristics. The cost function can be created in various ways where less or zero weights are given to the compromised sensor measurements and higher weights are given to uncompromised sensor measurements. The weights can be a continuous function of the confidence levels that particular sensors are attacked. In some embodiments, the optimization problem is a Quadratic Programming (“QP”) problem for the PCA case that is solved by an active-set QP solver and a Non-linear Programming Problem (“NLP”) for the auto-encoder case that is solved by a Sequential Quadratic Programming (“SQP”) solver. However, it should be noted that any numerical non-linear programming solver or a heuristic optimization problem solution method would be equally applicable toward solving the virtual sensing optimization problem.

FIG. 29 illustrates a system 2900 associated with an optimization problem 2950 in accordance with some embodiment. To help ensure that the optimization problem 2950 results in realistic feature space coordinates, bounds on the values of the feature vector may be provided as constraints to the optimization problem. Such bounds might be derived, for example, based on an analysis of the sensor data to study the excursion regions of the feature vectors and/or based on the knowledge of the physics of the system. The rate bounds might, according to some embodiments, be functionalized on a current operation mode and current operation conditions.

The initialization of the optimization problem might be done, according to some embodiments, using a feature set extracted from the last known health set of values. For future iterations, the reconstructed values might be used for initializations.

Finally, a limit may be put on the increment that can happen to the reconstructed values from the previous time-step (i.e., rate limits in the feature space) to help ensure bumpless transfer to a fault condition and to help ensure realistic time-dependent behavior of the virtual sensors. Again, such rate bounds can be derived based on analysis of the normal sensor dataset as well as knowledge of the system characteristics. The rate bounds may, in some embodiments, be functionalized based on a current operation mode and current operation conditions.

Thus, some embodiments may provide a scalable architecture that requires no knowledge of an attack surface and/or attack type. Embodiments may be suitable for real-time applications because the problem is cast in as an optimization problem that can be solved efficiently in real-time. Moreover, operation mode dependent programming of upper, lower, and/or rate bounds on the optimization problem may help provide: (i) realistic sensor reconstructions, (ii) smooth and bumpless time variation of the virtual estimates, and/or (iii) an efficient solution to the optimization problem. Further, embodiments may provide relatively memory-efficient modeling.

According to some embodiments, supervised learning may further enhance cyber-attack neutralization. For example, FIG. 30 is a method in accordance with some embodiments. At S3010, a dynamic, resilient estimator may split a temporal monitoring node space into a first subspace and a second subspace for each of at least one attack vector. Each attack vector may be according to some embodiments, associated with at least one abnormal monitoring node. The first subspace may represent abnormal monitoring nodes while the second subspace may represent monitoring nodes that are not abnormal.

For each attack vector, at S3020 the system may construct a neutralization model trained using supervised learning and the second subspace. Responsive to an indication of a particular abnormal monitoring node or nodes that are currently being attacked or experiencing a fault, at S3030 the system may automatically invoke the appropriate neutralization model to determine estimated values of the particular abnormal monitoring node or nodes. At S3040, the series of current monitoring node values from the abnormal monitoring node or nodes may be replaced with the estimated values.

In this way, embodiments may provide a resilient estimation method for sensors of a control system to maintain the integrity and availability of the system under abnormalities such as cyber-attacks and sensor faults and/or failures. The system may receive time-series data from a collection of sensor monitoring nodes and replace independently attacked and/or faulty sensors with their virtual estimates after the problem is reported by detection, localization and conformance matrix logic and/or a sensor diagnostics and anomaly classification model. Moreover, neutralization models may be developed for the attack vectors in the attack surface from normal operation data. The suitable model may then be invoked during an attack to reconstruct the compromised sensor values from the uncompromised sensor values.

The temporal sensor space

∈

^(N) ^(s) ^(×w), which contains the time series information of N_(s) sensors over a window of w samples, may be split into two subspaces

_(h)∈

^(N) ^(h) ^(×w) and

_(a)∈

^(N) ^(a) ^(×w) for each attack vector

∈

, where

is the attack surface under consideration and

=

_(h)∪

_(a). N_(h) and N_(a) are respectively the number of healthy sensors and attacked sensors in the attack vector with N_(s)=N_(a)+N_(h).

For each

∈

, a neutralization model

∈

:

_(h)→

_(a) may be constructed and trained with appropriately segmented normal data. During an attack, a detection and localization module may identify the attack vector

and the corresponding neutralization model

may be invoked to reconstruct the values of the healthy sensors from the attacked sensors. In the supervised learning approach to neutralization, a goal may be to train the models to predict information in

_(a) based on information available in

_(h). Note that the models might be structured in a few different ways to achieve this.

For example, FIG. 31 is a schematic of a system 3100 showing a “multiple model” approach for neutralization according to some embodiments. The system 3100 includes a localization model 3110 that reports a problem (cyber-attack or fault) and a sensor data re-direction element 3150 that routes sensor data to an appropriate one of a set of neutralization models 3190 (e.g., models 1 through N in FIG. 31). Here, the individual models 3190 (1 through N) are developed for each attack vector in the catalogue which are trained off-line. During deployment, a sensor data redirection switch (element 3150) redirects the data stream to the appropriate model 3190 based on the recommendation of the localization module so that compromised sensors can be appropriately reconstructed.

In this approach, one model 3190 is trained for each attack vector. The available normal dataset is segmented to fabricate heathy sensor space

_(h), which is the input to the model and ideal training values/tags for the attacked sensor space

_(a), which is the output of the model. Given enough normal dataset,

_(h) and

_(a) can be constructed for all attack vectors

∈

to train the respective models. Examples of models are deep RNN or CNN (or a combination of those) may be capable to of exploiting correlations in multiple dimensions (in this case temporal and across multiple sensors) and also be relatively easy to deploy for substantially real time applications. Moreover, a generative model such as a Generative Adversarial Network (“GAN”) may be constructed on top of the base models to gracefully accommodate scenarios not encountered during the training phase.

FIG. 32 is a multiple model method in accordance with some embodiments. At S3210, a single neutralization mode is trained for each attack vector (e.g., if there are ten sensors s1 through s10, a model might be created for s1 only being attacked, s1 and s2 being attacked, s2 only being attacked, etc.). At S3220, an indication of abnormality is received from a localization module (e.g., indicating which sensors are currently abnormal). At S3230, the appropriate neutralization model is selected and used to replace the abnormal values with estimated, virtual values at S3240.

As another approach, FIG. 33 is a system 3300 schematic showing a “single model” approach for neutralization according to some embodiments. A localization module 3310 provide an indication of abnormality to a data coder 3350 when provides coded sensor data to a neutralization model 3390. Here, the single model 3350 is developed and trained off-line over all the attack vectors in the catalogue, and the data streams from the attacked nodes are coded appropriately. During deployment, a data coder switch (2650) codes the data stream from the attacked sensors appropriately based on the recommendation of the localization module 3310 so that compromised sensors can be appropriately identified and reconstructed by the neutralization module 3390.

This approach is conceptually similar to the multiple model approach besides the fact only a single model is trained for all attack vectors. To achieve this, the normal data set is segmented in a similar fashion as before. However, to construct training inputs, the system keeps the

_(h) as before and encodes the attacked sensor space with out-of-range values (values that the sensors are not expected to encounter during normal or attack scenarios) to create a fake input space

_(i) having the same dimensions as S. The encoding map may be a set of predetermined and/or constant values or may be chosen dynamically based on the range of the healthy sensors to maximize performance. Similarly, for the fake output space

_(o), the values from

_(a) may be preserved and the healthy sensor space is padded. In this way,

,

_(i), and

_(o) may all have the same dimensions and a single model (with N_(s) inputs and N_(s) outputs) may be be trained for neutralization with methods to appropriately pad input data in an attack scenario. As before, RNN and CNN may be the models of choice (but other approaches might also be used). A GAN may be constructed on top of other models to accommodate unforeseen scenarios. The single model approach may reduce accuracy in favor or memory savings as compared to the multiple model approach.

FIG. 34 is a single model method in accordance with some embodiments. At S3410, the system trains a single neutralization model. At 53420, out-of-bound (out-of-range) values may be coded for abnormal nodes during the training. An indication of abnormality is received from a localization module at 53430, and out-of-bound values are provided to the neutralization model for the abnormal nodes at 53440. The abnormal sensor values are replaced with estimated, virtual values at 53450 to simulate sensor operation based on the values that are currently being provided by healthy monitoring nodes.

FIG. 35 is schematic showing a “two-layer” method (deploying supervised and unsupervised neutralization algorithms simultaneously) according to some embodiments. An attack detection and localization module 3510 receives a complete sensor stream and provides a comprised data stream to a neutralization module selector 3520 along with an attack vector selection. If the attack vector is “in catalogue” and therefore a dedicated supervised neutralization module 3530 has already been trained, then that model is selected (the “first layer” as described with respect to FIGS. 31 and 32). If the attack vector is “out of catalogue” and therefore no dedicated supervised neutralization module 3530 has already been trained, then a single unsupervised neutralization model 3540 is selected instead (the “second layer” as described with respect to FIGS. 33 and 34). The selected model is then used to provide information to a data aggregator module 3550. The neutralization module selector 3520 thus acts as an arbitrator to select the reconstruction module based on output of the attack detection and localization module 3510. If the attack vector in question is included in the training catalogue for the supervised module 3530, then the supervised module 3530 is selected for neutralization. Otherwise, the unsupervised module 3540 is selected for neutralization. Finally, the data aggregator module 3550 may take the uncompromised data stream and reconstructed data stream (for compromised nodes) and put them together so that a controller will receives the data stream in an expected format.

For the multiple model architecture, a model selector module may reside between a detection and localization module and an actual neutralization module to invoke the correct model for the given attack vector as shown FIG. 31. For the single model architecture, a coding module needs to be inserted instead to replace the compromised sensor data-stream with out-of-bound values so that the neutralization module can recognize the attack vector and act accordingly. For either case, a deep neural network-based model architecture may be fairly standard to deploy on a Graphical Processing Unit (“GPU”) and/or a Tensor Processing Unit (“TPU”) to achieve a substantially real time prediction. Finally, this may be combined with the unsupervised neutralization methodologies described herein where the unsupervised methodology acts as a first line of defense and the supervised methodology is deployed for scenarios where the other approach does not meet a required prediction accuracy. In this way, the models described may be trained using only on a subset of the attack surface (and hence require less development time).

FIG. 36 is a two-layer method in accordance with some embodiments. At S3610, the system receives an indication of abnormality from a localization module (e.g., indicating which nodes are currently being attacked or experiencing a fault). At S3620, the system selects a supervised or unsupervised neutralization module (based on the nodes being attacked or experiencing a fault). If supervised is selected at S3620, models trained for each attack vector are accessed at S3630 and the appropriate supervised model may be selected at S3632. If unsupervised is selected at S3620, a single neutralization model (trained with out-of-bound values inserted for faulty nodes) is accessed at S3640, and out-of-bounds values are coded into the data stream for currently attacked and/or faulty nodes at S3642. In either case, the abnormal sensor values are replaces with estimated, virtual values from the selected neutralization model (generated based on healthy data) at S3650.

Thus, some embodiments may provide a scalable architecture and minimal reliance on attack data. Moreover, embodiments may be suitable for real time application because the attack models may be implemented as deep neural networks that are amenable to executed by a GPU or a TPU. Moreover, modeling approaches described herein may be relatively memory efficient.

The embodiments described herein may be implemented using any number of different hardware configurations. For example, FIG. 37 is a block diagram of an industrial asset protection platform 3700 that may be, for example, associated with any of the systems described herein. The industrial asset protection platform 3700 comprises a processor 3710, such as one or more commercially available Central Processing Units (“CPUs”) in the form of one-chip microprocessors, coupled to a communication device 3720 configured to communicate via a communication network (not shown in FIG. 37). The communication device 3720 may be used to communicate, for example, with one or more remote monitoring nodes, user platforms, digital twins, etc. The industrial asset protection platform 3700 further includes an input device 3740 (e.g., a computer mouse and/or keyboard to input virtual sensor parameters, localization data, modeling information, etc.) and/or an output device 3750 (e.g., a computer monitor to render a display, provide alerts, transmit recommendations, and/or create reports). According to some embodiments, a mobile device, monitoring physical system, and/or PC may be used to exchange information with the industrial asset protection platform 3700.

The processor 3710 also communicates with a storage device 3730. The storage device 3730 may comprise any appropriate information storage device, including combinations of magnetic storage devices (e.g., a hard disk drive), optical storage devices, mobile telephones, and/or semiconductor memory devices. The storage device 3730 stores a program 3712 and/or a virtual node 3714 for controlling the processor 3710. The processor 3710 performs instructions of the programs 3712, 3714, and thereby operates in accordance with any of the embodiments described herein. For example, the processor 3710 may use an actor-critic platform to tune a dynamic, resilient state estimator for a sensor node and output tuning parameters for a controller that improve operation of an industrial asset during the current attack or fault. The actor-critic platform may include, for example, a dynamic, resilient state estimator, an actor model, and a critic model. According to some embodiments, a value function of the critic model is updated by the processor 3710 for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.

The programs 3712, 3714 may be stored in a compressed, uncompiled and/or encrypted format. The programs 3712, 3714 may furthermore include other program elements, such as an operating system, clipboard application, a database management system, and/or device drivers used by the processor 3710 to interface with peripheral devices.

As used herein, information may be “received” by or “transmitted” to, for example: (i) the industrial asset protection platform 3700 from another device; or (ii) a software application or module within the industrial asset protection platform 3700 from another software application, module, or any other source.

In some embodiments (such as the one shown in FIG. 37), the storage device 3730 further stores a virtual node database 3800. An example of a database that may be used in connection with the industrial asset protection platform 3700 will now be described in detail with respect to FIG. 38. Note that the database described herein is only one example, and additional and/or different information may be stored therein. Moreover, various databases might be split or combined in accordance with any of the embodiments described herein.

Referring to FIG. 38, a table is shown that represents the virtual node database 3800 that may be stored at the industrial asset protection platform 3700 according to some embodiments. The table may include, for example, entries identifying industrial assets to be protected. The table may also define fields 3802, 3804, 3806, 3808, 3810, 3812, 3814 for each of the entries. The fields 3802, 3804, 3806, 3808, 3810, 3812, 3814 may, according to some embodiments, specify: an industrial asset identifier 3802, an industrial asset description 3804, a virtual node identifier 3806, a matrix 3808, description 3810, a status 3812, and a shadow value 3814. The virtual node database 3800 may be created and updated, for example, when a new physical system is monitored or modeled, an attack is detected, etc.

The industrial asset identifier 3802 and industrial asset description 3804 may define a particular machine or system that will be protected. The virtual node identifier 3806 might be a unique alphanumeric code identifying a particular sensor or controller being modeled for the industrial asset. The matrix 3808 might be associated with a correlation heat map or lookup table, the description 3810 might indicate what sensor is being estimated, and the status 3812 might indicate, for example, whether the associated node is operating normally or is currently undergoing a cyber-attack, experience a fault, and/or is being replaced (e.g., with a “predicted” or shadow value 314).

FIG. 39 is an example of a virtual sensor display 3900 that might be used, for example, to provide information 3910 to an operator and/or to provide an interactive interface allowing an operator to adjust virtual nodes as appropriate. Selection of an element on the display 3900 (e.g., via a touchscreen) might, for example, result in the presentation of more information about that element (e.g., via a popup window), allow an operator to adjust parameters associated with the element, etc.

FIG. 40 shows a system 4000 that uses a dynamic, resilient sensing system 4070 in a controls and analytics platform. In particular, sensor measurement time-series values are combined 4040 with plant set-points and the result goes to a switch with bumpless transfer control 4030 via a controller 4010 and a plant 4020. The sensors measurements time-series values also undergo pre-filtering 4050 before being passed to the dynamic, resilient sensing system 4070 via a first indexed selector 4060. A second indexed selector 4080, controlled by sensor diagnostics and anomaly classification 4090 receives data from the dynamic, resilient sensing system 4070 and provides information for sensor software redundancy, sensor health analysis, and control of the switch 4030.

The healthy estimates of the abnormal sensors and their indices are the provided into the control loop and are used to replace of the original abnormal measurements. This is done through the switch with bumpless transfer control 4030 that might utilize any bumpless switching mechanism (such as a bumpless Proportional-Integral-Derivative (“PID”), a switched dynamic controller, a smooth transition controller, etc.). During normal operation, the switch 4030 is open and thus the plant sensor measurements are passed through the feedback loop.

When an anomaly is detected, the switch 4030 is closed and the virtual healthy estimated of the abnormal sensors are passed to the control feedback loop. The bumpless transfer control may help ensure smoothness of the signals during a transition and avoids abrupt (and potentially destabilizing) spikes in the control loop. The sensor measurement time-series may be a combination of the virtual sensor estimates (replacing the independently compromised sensors in accordance with any of the embodiments described herein) and the original plant sensors that are not independently compromised. This mechanism may help neutralize the effect of the abnormal measurements (which could be due to the abnormality of the sensor itself, such as a sensor fault, or a cyber-attack on the sensor) and maintains healthy operations of the plant. Note that the switch 4030 can be re-opened as soon as the plant status is back to normal (again with bumpless transfer control) or may remain latched in for some additional period time and opened after that delay. According to some embodiments, the estimates of the abnormal measurement are also used for further health analytics. The system 4000 may also produce estimates of healthy measurements in real-time. These estimates may remain in “stand-by” and when any of those sensors becomes abnormal the system 4000 can adopt a new configuration. According to some embodiments, these estimates also provide software redundancy to increase the reliability of plant operations. Moreover, the system 400 may employ a virtual or shadow controller (e.g., including an actuator) in accordance with any of the embodiments described herein.

Some embodiments described herein may provide systems and/or methods for autonomous reconfigurable virtual sensing to neutralize the effect of anomalies (e.g., cyber-attack or faults) in system measurements. Embodiments may provide correct estimates of compromised nodes using uncompromised information, thus replacing the comprised node with healthy virtual (or “soft”) information. According to some embodiments, a dynamic, resilient estimator may get a portion of the sensor measurements that are healthy and uncompromised and then use that information to provide healthy estimations for the measurements of sensors that are compromised. Similarly, a shadow controller might replace a compromised controller node. Moreover, embodiments may improve cyber security and accommodate critical functionality associated with an industrial asset. Some embodiments may bypass signals from attacked sensors using estimated signals created using data from healthy sensors. This approach may allow for a correction mechanism to sustain operations while alerting operators about a cyber-attack or fault.

Some embodiments may eliminate certain sensors to reduce costs (e.g., in a gas turbine one could replace low-speed and high-speed shaft speed sensors with virtual sensing). Moreover, embodiments may provide a surrogate backup for critical and/or unreliable sensors and improved control performance (by having more sensors available including those that may be difficult or expensive to directly measure). As a result, asset down-time because of cyber incents and faults may be limited to increase asset reliability and availability via software and algorithmic redundancy. Embodiments may also provide improved control performance by having more sensors available (including those difficult or expensive to directly measure) and may expand the model base and/or retrain a single model readily for an expanded attack surface. Embodiments may also provide for continuous learning to adapt to changing conditions (e.g., actuator degradation) in a way that requires minimal retraining.

The following illustrates various additional embodiments of the invention. These do not constitute a definition of all possible embodiments, and those skilled in the art will understand that the present invention is applicable to many other embodiments. Further, although the following embodiments are briefly described for clarity, those skilled in the art will understand how to make any changes, if necessary, to the above-described apparatus and methods to accommodate these and other embodiments and applications.

Although specific hardware and data configurations have been described herein, note that any number of other configurations may be provided in accordance with embodiments of the present invention (e.g., some of the information associated with the databases described herein may be combined or stored in external systems). For example, although some embodiments are focused on gas turbine generators, any of the embodiments described herein could be applied to other types of assets, such as dams, the power grid, autonomous vehicles, military devices, etc.

According to some embodiments, virtual sensor data may replace a corresponding sensor monitoring node when needed. According to other embodiments, similar approaches may be taken with respect to other types of monitoring nodes. For example, virtual data might replace an actuator monitoring node or a controller monitoring node that is currently experiencing an abnormality.

The present invention has been described in terms of several embodiments solely for the purpose of illustration. Persons skilled in the art will recognize from this description that the invention is not limited to the embodiments described, but may be practiced with modifications and alterations limited only by the spirit and scope of the appended claims. 

1. A system to protect an industrial asset, comprising: a plurality of monitoring nodes, each monitoring node generating a series of current monitoring node values over time that represent a current operation of the industrial asset; an abnormality detection and localization computer to receive the series of current monitoring node values and to output an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault; a controller of the industrial asset; and an actor-critic platform, coupled to the abnormality detection and localization computer and the controller, to tune a dynamic, resilient state estimator for a sensor node and to output tuning parameters for the controller that improve operation of the industrial asset during the current attack or fault, including: the dynamic, resilient state estimator, an actor model that tunes the parameters for the controller as appropriate, and a critic model, wherein a value function of the critic model is updated for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.
 2. The system of claim 1, wherein the controller is based on substantially real-time optimization.
 3. The system of claim 1, wherein the controller comprises an adaptive model predictive controller.
 4. The system of claim 1, wherein the abnormal monitoring node is associated with an actuator or controller.
 5. The system of claim 1, wherein the actor-critic platform uses reinforcement learning to reconstruct a full state using information from monitoring nodes that are not abnormal.
 6. The system of claim 5, wherein the reinforcement learning is implemented via a deep Q network or any other type of reinforcement learning.
 7. The system of claim 1, wherein the dynamic, resilient state estimator is trained off-line using a high-fidelity model of the industrial asset.
 8. The system of claim 7, wherein the dynamic, resilient state estimator is updated on-line via continuous learning during operation of the industrial asset.
 9. The system of claim 1, wherein the tuning parameters are associated with at least one of: (i) optimization constraints, (ii) set points, and (iii) weights.
 10. The system of claim 1, wherein the actor-critic platform uses reinforcement learning, implemented via a deep Q network or any other type of reinforcement learning, to reconstruct a full state using information from monitoring nodes that are not abnormal, the critic model updates weights of the deep Q network, and the actor model updates parameters of the controller.
 11. The system of claim 10, wherein the parameters of the controller updated by the actor model are associated with at least one of: (i) weighting matrices, (ii) constraint types, (iii) constraint values, and (iv) key plant model parameters.
 12. The system of claim 1, wherein the dynamic, resilient state estimator is associated with at least one of: (i) an indexed selector, (ii) bumpless transfer control, and (iii) a proportional-integral-derivative controller, (iv) a switched dynamic control, (v) a smooth transition controller, and (vi) an adaptive controller.
 13. The system of claim 1, wherein the industrial asset is associated with at least one of: (i) a turbine, (ii) a gas turbine, (iii) a wind turbine, (iv) an engine, (v) a jet engine, (vi) a locomotive engine, (vii) a refinery, (viii) a power grid, (ix) a dam, and (x) an autonomous vehicle.
 14. A computerized method to protect an industrial asset associated with a plurality of monitoring nodes, each monitoring node generating a series of current monitoring node values over time that represent current operation of the industrial asset, comprising: receiving, by an abnormality detection and localization computer, the series of current monitoring node values; outputting, by the abnormality detection and localization computer, an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault; tuning, by an actor-critic platform coupled to the abnormality detection and localization computer and a controller, a dynamic, resilient state estimator for a sensor node; and outputting, by the actor-critic platform, tuning parameters for a controller that improve operation of the industrial asset during the current attack or fault, wherein the actor-critic platform includes the dynamic, resilient state estimator, an actor model, and a critic model such that a value function of the critic model is updated for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.
 15. The method of claim 14, wherein the actor-critic platform uses reinforcement learning to reconstruct a full state using information from monitoring nodes that are not abnormal.
 16. The method of claim 15, wherein the reinforcement learning is implemented via a deep Q network or any other type of reinforcement learning.
 17. The method of claim 14, wherein the dynamic, resilient state estimator is trained off-line using a high-fidelity model of the industrial asset.
 18. The method of claim 17, wherein the dynamic, resilient state estimator is updated on-line via continuous learning during operation of the industrial asset.
 19. The method of claim 14, wherein the tuning parameters are associated with at least one of: (i) optimization constraints, (ii) set points, and (iii) weights.
 20. A non-transitory, computer-readable medium storing instructions that, when executed by a computer processor, cause the computer processor to perform a method to protect an industrial asset associated with a plurality of monitoring nodes, each monitoring node generating a series of current monitoring node values over time that represent current operation of the industrial asset, the method comprising: receiving, by an abnormality detection and localization computer, the series of current monitoring node values; outputting, by the abnormality detection and localization computer, an indication of at least one abnormal monitoring node that is currently being attacked or experiencing a fault; tuning, by an actor-critic platform coupled to the abnormality detection and localization computer and a controller, a dynamic, resilient state estimator for a sensor node; and outputting, by the actor-critic platform, tuning parameters for a controller that improve operation of the industrial asset during the current attack or fault, wherein the actor-critic platform includes the dynamic, resilient state estimator, an actor model, and a critic model such that a value function of the critic model is updated for each action of the actor model and each action of the actor model is evaluated by the critic model to update a policy of the actor-critic platform.
 21. The medium of claim 20, wherein the actor-critic platform uses reinforcement learning, implemented via a deep Q network or any other type of reinforcement learning, to reconstruct a full state using information from monitoring nodes that are not abnormal, the critic model updates weights of the deep Q network, and the actor model updates parameters of the controller.
 22. The medium of claim 21, wherein the parameters of the controller updated by the actor model are associated with at least one of: (i) weighting matrices, (ii) constraint types, (iii) constraint values, and (iv) key plant model parameters. 